step out of the bull’s-eye

Upload: amar-deep

Post on 07-Mar-2016


  • STEP OUT OF THE BULL'S-EYE: Protect Your Organization Against Advanced Threats and Targeted Cyberattacks

    kaspersky.com/business

  • THE DYNAMIC AND DANGEROUS ONLINE WORLD

    Cybersecurity is a major concern in both the private and public sectors. Targeted attacks aimed at commercial and government organizations are on the rise, in both frequency and severity. Computer networks and systems continue to be targets of intrusions, exploitation, and data theft by a variety of cybercriminals searching for sensitive financial information, personally identifiable information (PII) such as social security numbers, as well as geopolitical knowledge and corporate intelligence.

    In recent years, threat actors have become increasingly focused on targeting corporations to obtain sensitive information for financial profit or economic espionage. Regardless of the adversaries' motives, corporations understand the need to implement defensive measures to secure their infrastructure and sensitive data while mitigating the risk of future attacks.

    This whitepaper outlines the cybercrime landscape, advanced threats, targeted attack adversaries and their motives, the latest threats exposed, popular techniques, and strategies for preventing and mitigating attacks.

    "Many cyberattacks can be mitigated by relatively simple measures. Unfortunately, some people fail to take what appear to be basic precautions such as using strong passwords, applying patches, and running a security solution. In many cases, breaking into a company's network is easier than it sounds."

    ~ Costin Raiu, Director, Global Research & Analysis Team, Kaspersky Lab

  • THE CYBERCRIME LANDSCAPE

    Even though targeted attacks are highly publicized and a predominant topic of conversation among corporate IT security staff, the majority of incidents originate from cybercriminals conducting mass-malware campaigns. These campaigns are often simplistic in nature and lack any high level of technical sophistication. Nevertheless, they account for the largest number of corporate IT security incidents.

    According to research compiled by B2B International, malware is currently the leading cause of serious data loss events. Many targeted attacks, like phishing and Distributed Denial of Service (DDoS), actually have malware at their core.1

    Corporations can help protect themselves against these attacks and fortify their IT security perimeter immediately by implementing basic security practices, such as automated patching and application control combined with a reliable endpoint protection solution. In addition, educating employees about social engineering and phishing campaigns will strengthen your company's security awareness, which will help reduce your overall infection vector.

    "After a security breach, data loss is only the tip of the financial iceberg; the true cost is much greater. There are obvious hard costs such as additional security measures and legal advice, but brand damage and reputation are arguably much larger."

    ~ Costin Raiu, Director, Global Research & Analysis Team, Kaspersky Lab

    1. B2B International and Kaspersky Lab, IT Security Risks Survey 2014, September 2014

  • ADVANCED THREATS

    Advanced threats are complex attacks, consisting of many different components, including penetration tools (spearphishing messages, exploits, etc.), network propagation mechanisms, spyware, tools for concealment (rootkits/bootkits), and other, often sophisticated techniques, all designed with one objective in mind: to provide cybercriminals with undetected access to sensitive information.

    Advanced attacks target any sensitive data; you don't have to be a government agency, major financial institution or energy company to become a victim. Even small retail organizations have sensitive client information on record; small banks operate remote service platforms for customers; and businesses of all sizes process and hold payment information that is dangerous in the wrong hands. As far as attackers are concerned, size doesn't matter: it's all about the information. Even small companies are vulnerable to advanced threats and need a strategy to mitigate them.

    "High-profile targeted attacks on enterprises are becoming increasingly widespread. Thousands of businesses have already been hacked and had their sensitive data stolen, resulting in multi-billion dollar losses. Cyberespionage is a tangible and growing global threat today, and fighting it is one of the principal tasks we've set ourselves."

    ~ Costin Raiu, Director, Global Research & Analysis Team, Kaspersky Lab

  • TARGETED ATTACK ADVERSARIES AND THEIR MOTIVES

    Targeted and multi-component attacks are a steadily increasing trend, particularly when it comes to businesses, where criminals are launching sophisticated, tailored attacks based on well-researched organizational vulnerabilities. Targeted attacks come from a variety of threat actors including advanced persistent threat groups, politically driven hacktivists, and more advanced cybercriminals who offer their services for hire. Twelve percent of businesses surveyed by Kaspersky Lab reported run-ins with targeted attacks, with the combined costs of damages, remediation and other reactive spending averaging $2.54 million for enterprise organizations and $84,000 per mid-sized business.2

    Depending on the adversaries' operational motives and objectives, the information identified as valuable will vary. However, it's important to note that, regardless of the motive, attackers are targeting very specific information from a specific set of victims, and they will relentlessly customize and optimize their techniques until they successfully realize their objective.

    RESEARCHERS ARE SEEING AN UPSURGE IN MALWARE INCIDENTS ATTACKING BANKS. ONCE THE ATTACKERS GET INTO THE BANKS' NETWORKS, THEY SIPHON ENOUGH INFORMATION TO ALLOW THEM TO STEAL MONEY DIRECTLY FROM THE BANK IN SEVERAL WAYS:

    - Remotely commanding ATMs to dispense cash
    - Performing SWIFT transfers from various customers' accounts
    - Manipulating online banking systems to perform transfers in the background3

    Cybercriminals will either provide the hijacked information to the third party who hired them to steal it, or they will repackage and resell the data underground to interested parties, such as nation-states or competing organizations. Earned through years of hard work and investment, stolen intellectual property enables third parties to accelerate their technological and commercial developments while weakening corporations' intellectual and competitive advantages in the global economy.

    2. Kaspersky Lab, Global IT Security Risks Report, November 2014
    3. Kaspersky Lab, Global Research and Analysis Team, Kaspersky Security Bulletin 2014, December 2014

  • ATTACKS EXPOSED

    One of the biggest challenges in defending against targeted attacks is being able to correlate data and identify attack patterns amidst the high volume of incidents coming from disparate sources at various times. With careful observation, research and proper analysis, however, concrete information can show similarities in targeted attack campaigns.

    In 2013 and 2014, Kaspersky Lab's Global Research and Analysis Team (GReAT) researchers published detailed reports revealing valuable information about several large-scale targeted attack campaigns, with code names such as Red October, Winnti, NetTraveler, Icefog,4 Regin,5 DarkHotel6 and Crystal Ball.7 In 2015, Kaspersky Lab and law enforcement agencies around the globe investigated an advanced threat called Carbanak that was responsible for the theft of an estimated $1 billion from up to 100 financial institutions worldwide.8

    Kaspersky Lab's expert reports carry heavy weight because their substantive and exhaustive content connects the disparate dots and provides corporations with practical information that can be used to improve security procedures and mitigation efforts immediately.

    4. Kaspersky Lab, Global Research and Analysis Team, Red October Detailed Malware Descriptions, 2013
    5. ThreatPost, Costin Raiu on the Regin APT Malware, November 2014, https://threatpost.com/costin-raiu-on-the-regin-apt-malware/109548
    6. SecureList, The DarkHotel APT, November 2014, https://securelist.com/blog/research/66779/the-darkhotel-apt/
    7. SecureList, Kaspersky Security Bulletin 2014: A Look Into the APT Crystal Ball, December 2014
    8. SecureList, The Great Bank Robbery: the Carbanak APT, February 2015, https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/

  • ANALYZING THE OPERATIONAL PLAYBOOK FOR TARGETED ATTACKS

    The primary method for infecting targeted organizations is sending spearphishing emails to targets. These emails are rigged against common vulnerabilities found in corporate applications or programs. Once infected, a malicious program is installed on the victim's machine, which is usually a remote administration tool or backdoor Trojan. This allows the attacker to control the machine and bypass typical security perimeters. Attackers begin to move laterally across the network, patiently attempting to elevate their privileges and gain access to the credentials of IT administrators, managers and executives. Target data is identified, collected and exfiltrated via the remote administration tool, sending the information back to the operation's command and control server. The compromised system is completely owned and under the control of its attackers, enabling more information collecting, infection spreading or continued surveillance until the malicious behavior or program is identified.

    Using this technique, attackers have successfully compromised organizations across every sector, including government and defense organizations, commercial enterprises, financial institutions and scientific research institutes. Organizations are being compromised using rudimentary attack techniques because they are easy and because companies are vulnerable due to the lack of patch management, control policies and updated security configurations.

  • WATERHOLING ATTACKS

    A common alternative to infecting targets directly is infecting legitimate websites with malicious resources and exploits. The basic idea of this type of attack is to find and infect the sites that are most often visited by the company's employees. Recently, the site of the U.S. Department of Labor was infected, but it is assumed that the real target of the attack was the Department of Energy (DOE). The criminals were trying to infect the computers of DOE employees who regularly visited the Department of Labor's website.

    When a staff member at the company under attack opens the infected site, the code injected or planted in the body of the page secretly redirects the browser to a malicious site that contains a set of exploits. Malware posted on infected websites (for example, a server script) often acts selectively, injecting malicious code only into the pages sent to the users most relevant to the targeted company. Thus the adversaries can hide the targeted attack from antivirus companies and IT security experts.

    The attackers also try to infect trusted, legitimate sites. In these cases, even when users must carry out additional steps to run the exploit (e.g., turn on JavaScript, allow execution of the Java applet, confirm the security exception, etc.), they are likely to innocently click Allow and Confirm.

    55% OF ORGANIZATIONS LOST SENSITIVE BUSINESS DATA DUE TO INTERNAL AND EXTERNAL THREATS IN THE LAST 12 MONTHS9

    9. B2B International and Kaspersky Lab, IT Security Risks Survey 2014, September 2014

  • SOCIAL VULNERABILITY

    The majority of targeted attacks are delivered via email to employees. The attackers try to trick employees into opening these phishing communications and clicking on dangerous links. The attacks are not very sophisticated, but they've been incredibly successful in infecting organizations across all sectors.

    In June 2013, Kaspersky Lab's experts published an analysis report about Operation NetTraveler, which was an active cyberespionage campaign that infected more than 350 high-value targets using spearphishing emails and common vulnerabilities. Organizations that were compromised spanned a number of industries including military, oil and gas, aerospace and defense, human rights activists, energy, government, trade, and commerce.

    The NetTraveler campaign was conducted by an APT organization that was focused on stealing data related to space exploration, nanotechnology, energy production, nuclear power, lasers, medicine and communications. The majority of targeted organizations were located in Japan and South Korea and were within the military, telecom, shipbuilding, maritime and technology sectors.

    In October 2013, Kaspersky Lab's research team issued another in-depth analysis about the cyberespionage campaign Icefog, which was an economic espionage campaign conducted by an APT group who offered their services to third-party organizations for hire. The Icefog group targeted subcontractors in the global supply chain who provided dual-use technology, which could be used for commercial expansion as well as military modernization efforts.

    The attackers used spearphishing emails with common vulnerabilities found in Microsoft Word, Microsoft Excel, Java, and in Hangul Word Processor, which is a commonly used program in South Korea. One example of a prevalent spearphishing email used a common Microsoft Office exploit. Once opened, the email showed an image of scantily clad women while the vulnerability was exploited in the background.

    Once the vulnerability was exploited, the Icefog group would install a backdoor espionage kit that gave the attackers full control of the infected machine. The group would quickly pivot through the network to locate the target data and steal it. Once the data theft operation was complete, the group would abandon the infected machines in a type of hit-and-run technique.

    The hit-and-run technique was uncommon compared to the long-term surveillance campaigns that other APT groups typically conducted. While analyzing the campaign, Kaspersky Lab found that Icefog focused on specializing in this hit-and-run mentality by implementing technical optimizations to its espionage toolkit, which made it more agile and evasive. This, combined with the diverse group of target organizations, indicates that the Icefog criminals were acting as cyberthieves, hired by different customers who each had an individual agenda and priorities. In the future, Kaspersky Lab expects this hit-and-run trend to increase as more groups of specialized cyberthieves are hired to carry out data-theft operations.

  • PREVENTING TARGETED ATTACKS: Security Recommendations and Mitigation Efforts

    Although the topic of information sharing is often used synonymously with the term disclosure when discussing cybersecurity incidents and collaboration, the two can and should be viewed independently. By analyzing large-scale targeted attack campaigns and their characteristics, Kaspersky Lab provides corporations with practical information that achieves two immediate objectives:

    1. Mitigate the risk of future attacks by improving day-to-day security operations and practices
    2. Perform verification and security assessment tests to ensure you haven't already been compromised

    To protect against exploits, ensure all applications, programs and operating systems are installed with the latest patches and security updates. Implementing an automated patch management system is highly recommended.

    Targeted attacks often exploit popular programs like Microsoft Office, Adobe Reader, Adobe Flash, Internet Explorer, and Oracle Java, so verifying these programs are patched should be the first priority, in addition to operating systems and third-party applications. Educate employees on the use of social engineering in targeted attacks. Employees should be cautious of clicking any URLs or opening attachments in email. Attackers can also send suspicious URLs leading to infected websites to employees over social networks, IRC messages and personal email accounts. While it is also the job of an email server security system to block malicious links from email bodies, it's always a good idea to restrict access to these sites from workstations. This can be done using web control tools that block URLs in accordance with dynamically updated malicious URL lists. It is also possible to block websites with specific content. For larger and more complex IT infrastructures, patch implementation can take longer, increasing the risk of publicized vulnerabilities being exploited. Consider using advanced protection technologies such as Automatic Exploit Prevention, which uses Data Execution Prevention and Address Space Layout Randomization mechanisms, methods of heuristic analysis, and control over executable code. This enables Automatic Exploit Prevention to block the execution of malicious code before the vulnerability is patched or when a zero-day vulnerability is being used.

  • NETWORK TRAFFIC

    USING NETWORK TRAFFIC CONTROL TECHNOLOGY (FIREWALLS, INTRUSION PREVENTION SYSTEMS AND INTRUSION DETECTION SYSTEMS), SYSTEM ADMINISTRATORS AND IT SECURITY SPECIALISTS CAN NOT ONLY BLOCK DANGEROUS NETWORK ACTIVITY, BUT ALSO DETECT ANY PENETRATION INTO THE CORPORATE NETWORK. FIREWALLS, INTRUSION PREVENTION SYSTEMS AND INTRUSION DETECTION SYSTEMS CAN:

    - Block incoming and outgoing connections by port, domain name and IP address, and/or protocol
    - Generate statistical analysis of traffic (NetFlow) for anomalies
    - Collect suspicious network traffic for further analysis
    - Detect and block outgoing commands or similar output sent via the Internet
    - Detect and block downloads of suspicious files from the Internet (additional malware modules)

    You must protect transmissions of confidential information (IP addresses, logins, computer names, corporate documents, credit card numbers, etc.). Firewalls, intrusion prevention systems and intrusion detection systems can detect anomalies in the way network nodes interact as soon as the malicious code tries to contact the command center or actively scans the corporate network for other systems, open ports, shared folders, etc. This anomaly detection allows IT security experts to promptly respond to the threat, preventing further intrusion that might compromise the corporate network.
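    The three network-side checks this slide describes (a port/IP block list, detection of a host scanning the internal network for open ports, and detection of regular call-home traffic to a command center) can be run over flow records such as NetFlow exports. The following is an added example, not Kaspersky code; the record layout, addresses, block-list entries and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (time in seconds, src_ip, dst_ip, dst_port, proto).
FLOWS = [
    # a workstation calling one external host every 60 s (beacon-like)
    *[(t, "10.0.0.5", "203.0.113.7", 443, "tcp") for t in range(0, 600, 60)],
    # an internal host sweeping port 445 across the subnet (scan-like)
    *[(100 + i, "10.0.0.9", f"10.0.0.{100 + i}", 445, "tcp") for i in range(30)],
    # ordinary browsing: irregular times, several destinations
    (5, "10.0.0.7", "198.51.100.2", 443, "tcp"),
    (41, "10.0.0.7", "198.51.100.3", 80, "tcp"),
    (233, "10.0.0.7", "198.51.100.9", 443, "tcp"),
    (500, "10.0.0.7", "198.51.100.2", 443, "tcp"),
    # one outbound connection on an IRC port, which the constructed policy forbids
    (120, "10.0.0.7", "192.0.2.44", 6667, "tcp"),
]

BLOCKED_PORTS = {6667}          # constructed policy: no outbound IRC
BLOCKED_IPS = {"192.0.2.44"}    # constructed entry from a malicious-IP feed


def is_internal(ip):
    return ip.startswith("10.")


def policy_violations(flows):
    """Flows a firewall rule set would block outright (port or IP block list)."""
    return [f for f in flows if f[3] in BLOCKED_PORTS or f[2] in BLOCKED_IPS]


def detect_scanners(flows, min_targets=20, window=120):
    """Internal sources touching many distinct internal hosts on one port
    within `window` seconds: the footprint of code looking for other systems,
    open ports and shared folders. Returns {src_ip: (port, distinct_targets)}."""
    by_src = defaultdict(list)
    for t, src, dst, port, _ in flows:
        if is_internal(src) and is_internal(dst):
            by_src[(src, port)].append((t, dst))
    hits = {}
    for (src, port), events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = (port, len(targets))
                break
    return hits


def detect_beacons(flows, min_conns=5, max_jitter=0.1):
    """Internal hosts contacting one external destination at near-constant
    intervals (stdev/mean of the gaps <= max_jitter): the call-home pattern
    of a remote administration tool. Returns {(src, dst, port): interval}."""
    by_pair = defaultdict(list)
    for t, src, dst, port, _ in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst, port)].append(t)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    print("policy violations:", policy_violations(FLOWS))
    print("scanners:", detect_scanners(FLOWS))
    print("beacons:", detect_beacons(FLOWS))
```

    The thresholds are deliberately simple; in production they would be tuned against a baseline of the network's normal traffic so that update checkers and monitoring agents are not flagged as beacons.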

  • APPLICATION CONTROL AND SYSTEM PROCESSES

    Application controls can block the launch of untrusted programs and modules. Such launches should be prohibited: once a system is infected, attackers install additional modules or programs that are disguised as system processes and appear under the names of legitimate applications.

    Systems that require the highest protection level should be safeguarded by the default deny mode, which blocks any program from starting up if it is not included in the white list.

    TO PREVENT ATTACKERS FROM GAINING CONTROL OF THE SYSTEM, IT SECURITY SPECIALISTS SHOULD:

    - Prevent both trusted and potentially vulnerable programs from injecting code into other processes
    - Restrict applications' access to critical system resources
    - Block potentially dangerous functions (network access, installation of drivers, creation of screenshots, access to a webcam or microphone, etc.)
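    To make the default deny point concrete, here is an added example (not Kaspersky code) that evaluates constructed process-launch events against a white list two ways: by image name alone, and in default deny mode where the name, the expected directory and the file hash must all match. The hashes, paths and events are made up for illustration.

```python
import hashlib

# Constructed white list: trusted executables keyed by image name, each with the
# SHA-256 of the genuine file and the directory it is expected to run from.
ALLOW_LIST = {
    "svchost.exe": {"sha256": hashlib.sha256(b"genuine svchost bytes").hexdigest(),
                    "path": r"C:\Windows\System32"},
    "winword.exe": {"sha256": hashlib.sha256(b"genuine winword bytes").hexdigest(),
                    "path": r"C:\Program Files\Microsoft Office"},
}

# Constructed launch events: (image name, directory, file contents). A real
# agent would supply the hash it computed; here the contents are hashed inline.
EVENTS = [
    ("svchost.exe", r"C:\Windows\System32", b"genuine svchost bytes"),
    ("winword.exe", r"C:\Program Files\Microsoft Office", b"genuine winword bytes"),
    # a dropped module renamed to look like a system process
    ("svchost.exe", r"C:\Users\alice\AppData\Local\Temp", b"attacker module"),
    # an unknown program in a user-writable location
    ("update.exe", r"C:\Users\alice\Downloads", b"unknown installer"),
]


def decide_by_name(name, directory, content):
    """Permissive check: trusts anything whose image name is on the list,
    so a disguised module named like a system process slips through."""
    return "allow" if name in ALLOW_LIST else "deny"


def decide_default_deny(name, directory, content):
    """Default deny: unknown names are denied, and even a listed name is
    allowed only from its expected directory with the expected hash."""
    entry = ALLOW_LIST.get(name)
    if entry is None:
        return "deny"
    digest = hashlib.sha256(content).hexdigest()
    if directory.lower() != entry["path"].lower() or digest != entry["sha256"]:
        return "deny"
    return "allow"


def evaluate(events, policy):
    """Apply one policy to every event; returns (name, directory, decision)."""
    return [(name, directory, policy(name, directory, content))
            for name, directory, content in events]


if __name__ == "__main__":
    for label, policy in (("by name", decide_by_name), ("default deny", decide_default_deny)):
        print(label)
        for name, directory, decision in evaluate(EVENTS, policy):
            print(f"  {decision:5} {directory}\\{name}")
```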

  • ENCRYPTION

    File and disk encryption can restrict local access to the protected information on computers, mobile devices and open network folders. Data that needs to be transferred can be sent in encrypted form. With encryption, even if the attackers manage to intercept and download something, they won't be able to read the content of the encrypted files.

    IF THE SCAMMERS SEIZE CONTROL OF THE SYSTEM AND PENETRATE THE CORPORATE NETWORK, THEY MAY TRY TO FIND AND UPLOAD FILES WITH INFORMATION THAT IS POTENTIALLY IMPORTANT FOR THEM, INCLUDING:

    - Corporate documents and security policies
    - Files containing credentials
    - Configuration files
    - Source codes
    - Private keys
    - Customer data, including PII, payment information, health and insurance-related data

  • SECURITY POLICIES

    IN ISOLATION, NONE OF THE PRACTICES DISCUSSED ON THE PREVIOUS PAGES CAN EFFECTIVELY PREVENT A TARGETED ATTACK. IN ORDER TO PROTECT THE CORPORATE NETWORK, ALL THESE TECHNOLOGIES MUST BE WELL INTEGRATED AND CAREFULLY TUNED. HOWEVER, SYSTEM ADMINISTRATORS AND IT SECURITY SPECIALISTS SHOULD ALSO USE ADMINISTRATIVE PROTECTION MEASURES, INCLUDING THE FOLLOWING USER EDUCATION PRACTICES:

    - Ensure that all users know and observe company security policies
    - Inform users about possible consequences of Internet threats, such as phishing, social engineering or malware sites
    - Instruct all users to notify IT security staff about all incidents
    - Maintain control over user access rights and privileges; any rights and privileges should be granted only when necessary
    - Record all rights and privileges (access) granted to the users
    - Scan the systems for vulnerabilities and unused network services
    - Detect and analyze vulnerable network services and applications
    - Update vulnerable components and applications. If there is no update, vulnerable software should be restricted or banned

    Many of these measures can be automated. For example, if security policies are violated, special software shows the user a warning message. Systems management technology can be used to search for network services and unauthorized devices as well as for vulnerabilities, and to update vulnerable applications automatically.

  • JOIN THE CONVERSATION

    Learn more at usa.kaspersky.com/business-security


  • ABOUT KASPERSKY LAB

    PROTECT YOUR BUSINESS NOW. Kaspersky Lab is the world's largest privately held vendor of endpoint protection solutions. The company is ranked among the world's top four vendors of security solutions for endpoint users.* Throughout its more than 17-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 400 million users worldwide.

    * The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2013. The rating was published in the IDC report Worldwide Endpoint Security 2014-2018 Forecast and 2013 Vendor Shares (IDC #250210, August 2014). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2013.

    © 2015 Kaspersky Lab ZAO. All rights reserved. Registered trademarks and service marks are the property of their respective owners.